International Association
for Cryptologic Research

This paper presents a very practical key recovery attack on Speck32/64 reduced to 11 rounds based on a novel type of differential distinguisher using machine learning. These distinguishers exceed distinguishers based on the entire differential distribution table of Speck32/64 in accuracy, specificity and sensitivity. We show that they obtain significant gain from features of the output distribution that are invisible to the differential distribution table. The key recovery attack has been completely verified empirically and has an average runtime of approximately three minutes on a desktop computer with a fast graphics card or about 30 minutes on the same machine when not using the graphics card. This corresponds to roughly 41 bits of remaining security for 11-round Speck32/64, which is a substantial improvement over previous literature. The average data complexity of our attack is slightly lower than the best previous attack on the same number of rounds.

While our attack is based on a known input difference taken from the literature, we also show that neural networks can be used to rapidly (within a matter of minutes on our machine) find good input differences without using prior human cryptanalysis.

In non-zero inner product encryption (NIPE) schemes, ciphertexts and secret keys are associated with vectors and decryption is possible whenever the inner product of these vectors does not equal zero. So far, much effort on constructing bilinear map-based NIPE schemes have been made and this has lead to many efficient schemes. However, the constructions of NIPE schemes without bilinear maps are much less investigated. The only known other NIPE constructions are based on lattices, however, they are all highly inefficient due to the need of converting inner product operations into circuits or branching programs.

To remedy our rather poor understanding regarding NIPE schemes without bilinear maps, we provide two methods for constructing NIPE schemes: a direct construction from lattices and a generic construction from functional encryption schemes for inner products (LinFE). For our first direct construction, it highly departs from the traditional lattice-based constructions and we rely heavily on new tools concerning Gaussian measures over multi-dimensional lattices to prove security. For our second generic construction, using the recent constructions of LinFE schemes as building blocks, we obtain the first NIPE constructions based on the DDH and DCR assumptions. In particular, we obtain the first NIPE schemes without bilinear maps or lattices.

We present a modification to the ZKPoKs used in the HighGear offline protocol for the SPDZ Multi-Party Computation protocol. This modification allows us to both increase the security of the underlying protocols, whilst at the same time maintaining roughly the same performance in terms of memory and bandwidth consumption. The last two being major constraints of the original HighGear protocol. We argue the inefficiency of HighGear means that current implementations of SPDZ use far too low security parameters in a number of places. We show that using TopGear one can select high security parameters for all cases.

Bitcoin, being the most successful cryptocurrency, has been repeatedly attacked with many users losing their funds. The industry's response to securing the user's assets is to offer tamper-resistant hardware wallets. Although such wallets are considered to be the most secure means for managing an account, no formal attempt has been previously done to identify, model and formally verify their properties. This paper provides the first formal model of the Bitcoin hardware wallet operations. We identify the properties and security parameters of a Bitcoin wallet and formally define them in the Universal Composition (UC) Framework. We present a modular treatment of a hardware wallet ecosystem, by realizing the wallet functionality in a hybrid setting defined by a set of protocols. This approach allows us to capture in detail the wallet's components, their interaction and the potential threats. We deduce the wallet's security by proving that it is secure under common cryptographic assumptions, provided that there is no deviation in the protocol execution. Finally, we define the attacks that are successful under a protocol deviation, and analyze the security of commercially available wallets.

In this work, we revisit the primitive functional encryption (FE) for inner products and show its application to decentralized attribute- based encryption (ABE). Particularly, we derive an FE for inner prod- ucts that satisfies a stronger notion, and show how to use such an FE to construct decentralized ABE for the class $\{0,1\}$-LSSS against bounded collusions in the plain model. We formalize the FE notion and show how to achieve such an FE under the LWE or DDH assumption. Therefore, our resulting decentralized ABE can be constructed under the same standard assumptions, improving the prior construction by Lewko and Waters (Eurocrypt 2011). Finally, we also point out challenges to construct decentralized ABE for general functions by establishing a relation between such an ABE and witness encryption for general NP statements.

We consider the problem of constructing Diffie-Hellman (DH) parameters which pass standard approaches to parameter validation but for which the Discrete Logarithm Problem (DLP) is relatively easy to solve. We consider both the finite field setting and the elliptic curve setting.

For finite fields, we show how to construct DH parameters $(p,q,g)$ for the safe prime setting in which $p=2q+1$ is prime, $q$ is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and $g$ is of order $q$ mod $p$. The construction involves modifying and combining known methods for obtaining Carmichael numbers. Concretely, we provide an example with 1024-bit $p$ which passes OpenSSL's Diffie-Hellman validation procedure with probability $2^{-24}$ (for versions of OpenSSL prior to 1.1.0i). Here, the largest factor of $q$ has 121 bits, meaning that the DLP can be solved with about $2^{64}$ effort using the Pohlig-Hellman algorithm. We go on to explain how this parameter set can be used to mount offline dictionary attacks against PAKE protocols.

In the elliptic curve case, we use an algorithm of Broker and Stevenhagen to construct an elliptic curve $E$ over a finite field ${\mathbb{F}}_p$ having a specified number of points $n$. We are able to select $n$ of the form $h\cdot q$ such that $h$ is a small co-factor, $q$ is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and $E$ has a point of order $q$. Concretely, we provide example curves at the 128-bit security level with $h=1$, where $q$ passes a single random-base Miller-Rabin primality test with probability $1/4$ and where the elliptic curve DLP can be solved with about $2^{44}$ effort. Alternatively, we can pass the test with probability $1/8$ and solve the elliptic curve DLP with about $2^{35.5}$ effort. These ECDH parameter sets lead to similar attacks on PAKE protocols relying on elliptic curves.

Our work shows the importance of performing proper (EC)DH parameter validation in cryptographic implementations and/or the wisdom of relying on standardised parameter sets of known provenance.

An emerging trend is for researchers to identify cryptography primitives for which feasibility was first established under obfuscation and then move the realization to a different setting. In this work we explore a new such avenue — to move obfuscation-based cryptography to the assumption of (positional) witness encryption. Our goal is to develop techniques and tools, which we will dub “witness encryption friendly” primitives and use these to develop a methodology for building advanced cryptography from positional witness encryption. We take a bottom up approach and pursue our general agenda by attacking the specific problem of building collusion-resistant broadcast systems with tracing from positional witness encryption. We achieve a system where the size of ciphertexts, public key and private key are polynomial in the security parameter $\lambda$ and independent of the number of users N in the broadcast system. Currently, systems with such parameters are only known from indistinguishability obfuscation.

In 2017, a practical attack, referred to as the signal leakage attack, against reconciliation-based RLWE key exchange protocols was proposed. In particular, this attack can recover a long-term private key if a key pair is reused. Directly motivated by this attack, recently, Ding et al. proposed two countermeasures against the attack. One is the RLWE key exchange protocol with reusable keys (KERK), which is included in the Ding Key Exchange, a NIST submission. The idea for this construction is using zero knowledge proof. The other is the practical randomized RLWE-based key exchange (PRKE) (TOC’18), which mixes more randomization. We found that the two countermeasures above can effectively prevent malicious Alice from recovering the private key of Bob when keys are reused. However, both countermeasures don’t consider the case where malicious Bob tries to recover the private key of Alice. In particular, malicious Bob can recover the private key of Alice by carefully choosing what he sends and observing whether shared keys match. By analyzing the complexities of these attacks, the results show these attacks are practical and effective. Notice that the key to carry out these attacks is that malicious Bob chooses a RLWE sample with the special structure as his public key. Therefore, other RLWE-based schemes, including KEM (or key exchange) and PKE, are also vulnerable to these attacks. In response to these attacks, we propose a mechanism where one party can construct a new ”public key” of the other party, and in order to illustrate the mechanism, we give an improved KERK.

It has been shown that, for appropriate parameters, solving the $\mathsf{SIS}$ problem in the average case is at least as hard as approximating certain lattice problems in the worst case %on any $n$-dimensional lattice to within polynomial factor $\beta\cdot\widetilde{O}(\sqrt n)$, where typically $\beta=O(\sqrt{n\log n})$ such that random $\mathsf{SIS}$ instances admit a solution. In this work, we show that $\beta=O(1)$, i.e., $\beta$ is essentially upper-bounded by a constant. This directly gives us a poly-time exhaustive search algorithm for solving the $\mathsf{SIS}$ problem (resulting in approximating certain worst-case lattice problems to within $\widetilde{O}(\sqrt n)$ factor). Although the exhaustive search algorithm is rather inefficient for typical setting of parameters, our result indicates that lattice-based cryptography is not secure, at least in an asymptotical sense. Our work is based on an observation of the lower/upper bounds on the smoothing parameter for lattices.

We present nQUIC, a variant of QUIC-TLS that uses the Noise protocol framework for its key exchange and basis of its packet protector with no semantic transport changes. nQUIC is designed for deployment in systems and for applications that assert trust in raw public keys rather than PKI-based certificate chains. It uses a fixed key exchange algorithm, compromising agility for implementation and verification ease. nQUIC provides mandatory server and optional client authentication, resistance to Key Compromise Impersonation attacks, and forward and future secrecy of traffic key derivation, which makes it favorable to QUIC-TLS for long-lived QUIC connections in comparable applications. We developed two interoperable prototype implementations written in Go and Rust. Experimental results show that nQUIC finishes its handshake in a comparable amount of time as QUIC-TLS.

Group signatures allow members of a group to anonymously produce signatures on behalf of the group. They are an important building block for privacy-enhancing applications, e.g., enabling user data to be collected in authenticated form while preserving the user’s privacy. The linkability between the signatures thereby plays a crucial role for balancing utility and privacy: knowing the correlation of events significantly increases the utility of the data but also severely harms the user’s privacy. Therefore group signatures are unlinkable per default, but either support linking or identity escrow through a dedicated central party or offer user-controlled linkability. However, both approaches have significant limitations. The former relies on a fully trusted entity and reveals too much information, and the latter requires exact knowledge of the needed linkability at the moment when the signatures are created. However, often the exact purpose of the data might not be clear at the point of data collection. In fact, data collectors tend to gather large amounts of data at first, but will need linkability only for selected, small subsets of the data. We introduce a new type of group signatures that provide a more flexible and privacy-friendly access to such selective linkability. When created, all signatures are fully unlinkable. Only when strictly needed or desired, should the required pieces be made linkable with the help of a central entity. For privacy, this linkability is established in an oblivious and non-transitive manner. We formally define the requirements for this new type of group signatures and provide an efficient instantiation that provably satisfies these requirements under discrete-logarithm based assumptions.

Non-malleable asymmetric encryption schemes which prove plaintext knowledge are sufficient for secrecy in some domains. For example, ballot secrecy in voting. In these domains, some applications derive encryption schemes by coupling malleable ciphertexts with proofs of plaintext knowledge, without evidence that the sufficient condition (for secrecy) is satisfied nor an independent security proof (of secrecy). Consequently, it is unknown whether these applications satisfy desirable secrecy properties. In this article, we propose a generic construction for such a coupling and show that our construction produces non-malleable encryption schemes which prove plaintext knowledge. Furthermore, we show how our results can be used to prove ballot secrecy of voting systems. Accordingly, we facilitate the development of applications satisfying their security objectives.

Automatic tools have played an important role in designing new cryptographic primitives and evaluating the security of ciphers. Simple Theorem Prover constraint solver (STP) has been used to search for differential/linear trails of ciphers. This paper proposes general STP-based models searching for differential and linear trails with the optimal probability and correlation for S-box based ciphers. In order to get trails with the best probability or correlation for ciphers with arbitrary S-box, we give an efficient algorithm to describe probability or correlation of S-Box. Based on the algorithm we present a search model for optimal differential and linear trails, which is efficient for ciphers with S-Boxes whose DDTs/LATs contain entities not equal to the power of two. Meanwhile, the STP-based model for single-key impossible differentials considering key schedule is proposed, which traces the propagation of values from plaintext to ciphertext instead of propagations of differences. And we found that there is no 5-round AES-128 single-key truncated impossible differential considering key schedule, where input and output differences have only one active byte respectively. Finally, our proposed models are utilized to search for trails of bit-wise ciphers GIFT-128, DES, DESL and ICEBERG and word-wise ciphers ARIA, SM4 and SKINNY-128. As a result, improved results are presented in terms of the number of rounds or probabilities/correlations.

In 2018, Shi et al. 's showed that Kaushik et al.'s quantum signature scheme is defective. It suffers from the forgery attack. They further proposed an improvement, trying to avoid the attack. However, after examining we found their improved quantum signature is deniable, because the verifier can impersonate the signer to sign a message. After that, when a dispute occurs, he can argue that the signature was not signed by him. It was from the signer. To overcome the drawback, in this paper, we raise an improvement to make it publicly verifiable and hence more suitable to be applied in real life. After cryptanalysis, we confirm that our improvement not only resist the forgery attack but also is undeniable.

Subspace Labs is building the future of decentralized cloud-based services. The subspace protocol and ecosystem enables developers to easily build web and mobile apps that give end users full ownership and control over their data. We are venture backed and have received a National Science Foundation (NSF) research grant to fund this position. We are seeking a Cryptographer who has familiarity with the blockchain space and existing decentralized protocols to help us develop and implement a new set of cryptographic primitives while ensuring the protocol is secure across a public network of untrusted nodes.

Requirements

• An MS or Ph.D. in cryptography or computer security

• Proficiency in at least one of the following languages: C,Python, Rust or Javascript. Proficiency in NodeJS and Typescript is a plus.

• Previous work and contribution to open-source projects, especially those dealing with blockchains or decentralized protocols.

• Experience with Proof-of-Space, Proof-of-Storage and Proof-of-Time cryptographic primitives

• Experience with the OpenPGP protocol, specifically OpenPGP-JS

• Experience with a canonical signature scheme such as BLS

• Local to the San Francisco Bay Area or willing to relocate

• Must be based in the United States for grant compliance purposes.

Responsibilities

• Develop and implement a hybrid proof-of-space that allows for both blockchain consensus and validation of storage pledges

• Select and implement a lightweight proof-of-replication, possibly based on Verifiable Delay Functions (VDFs)

• Take over primary responsibility for the Subspace Credit Leger, a modular component of the Subspace Protocol that is an early implementation of a Proof of Space-Time blockchain

• Optimize the existing usage of OpenPGP JS, explore replacement with another cryptosystem, and implement a canonical signature scheme for immutable records.

• Conduct a full security analysis of the protocol before developing and implementing necessary countermeasures

Closing date for applications: 31 January 2019

Contact: Jeremiah Wagstaff

Cofounder & CEO

jeremiah (at) subspace.network

More information: https://www.subspace.network

Nazarbayev University is seeking highly-qualified faculty at all ranks to join its rapidly growing Mathematics Department in the School of Science and Technology. All areas of mathematics will be considered but preference will be given to applied mathematics and statistics (broadly interpreted).

Successful candidates should hold a PhD in mathematics, statistics or in a related field and have excellent English-language communication skills and experience with Western higher education. Applicants for associate and full professor positions should have considerable experience in supervising students at the graduate level, possess strong teaching skills and experience, and a demonstrated rank-appropriate research accomplishment and service. Applicants for assistant professor level should demonstrate a potential for excellence in teaching, research, and service.

Position responsibilities include: teaching undergraduate and graduate level of courses (2-2 teaching load), supervision of graduate students, curricular and program development, ongoing engagement in professional and research activities, general program guidance and leadership, and other activities related to the intellectual and cultural environment of the university.

Nazarbayev University offers an attractive benefits package, including:

• competitive compensation
• free housing based on family size and rank
• relocation allowance
• no-cost medical insurance, with global coverage
• educational allowance for children
• air tickets to home country, twice per year

Closing date for applications: 31 March 2019

Contact: Applicants should send a detailed CV, teaching and research statements, and list of publications to sst.cv (at) nu.edu.kz. Review of applications will begin immediately but full consideration will be given to applications submitted no later than February 28th, 2019. Successful appointments are expected to begin on August 1st, 2019.

More information: http://sst.nu.edu.kz

Excellent Chinese students wishing to do a PhD degree in cyber security are invited to apply for PhD positions in the University of York, UK. PhD projects may be in the following broad areas of cyber security:

• applied cryptography, especially the design and implementation of cryptographic schemes and protocols with the aim of preserving user privacy and increasing user security, and
• usable security and privacy, i.e. security and privacy enhancing technologies that are designed to be usable by humans.

The exact project title and brief is to be discussed and finalised with the supervisor.

The scholarship is for Chinese students only and includes both a fee waiver and a living stipend. More information about the scholarship is available at: www.york.ac.uk/study/postgraduate-research/funding/china-scholarships

The final application deadline is 15 February 2019.

Potential candidates are encouraged to contact the supervisor Dr. Siamak F. Shahandashti in the first instance and as soon as possible by email at siamak.shahandashti (at) york.ac.uk and provide their CV, latest academic transcript, and one indicative piece of their research work (e.g. paper, thesis, report) for an initial assessment and discussion of PhD topic. Agreement on the PhD topic and proposal will be required for the final application.

Further information about the supervisor can be found through his homepage: www.cs.york.ac.uk/~siamak

York is a prestigious university in the UK and the Department of Computer Science is ranked top 10 in the UK in terms of research quality. More information about the university can be found here: www.york.ac.uk/about

Closing date for applications: 15 February 2019

Contact: Dr. Siamak F. Shahandashti | siamak.shahandashti (at) york.ac.uk | www.cs.york.ac.uk/~siamak

More information: https://www.york.ac.uk/study/postgraduate-research/funding/china-scholarships

Excellent students wishing to do a PhD degree in cyber security are invited to apply for PhD positions in the University of York, UK. PhD projects may be in the following broad areas of cyber security:

• applied cryptography, especially the design and implementation of cryptographic schemes and protocols with the aim of preserving user privacy and increasing user security, and
• usable security and privacy, i.e. security and privacy enhancing technologies that are designed to be usable by humans.

The exact project title and brief is to be discussed and finalised with the supervisor.

The scholarship is for non-UK/EU students only and includes both a fee waiver and a living stipend. More information about the scholarship is available at: www.york.ac.uk/study/postgraduate-research/funding/international/ygrs

The final application deadline is 31 January 2019.

Potential candidates are encouraged to contact the supervisor Dr. Siamak F. Shahandashti in the first instance and as soon as possible by email at siamak.shahandashti (at) york.ac.uk and provide their CV, latest academic transcript, and one indicative piece of their research work (e.g. paper, thesis, report) for an initial assessment and discussion of PhD topic. Agreement on the PhD topic and proposal will be required for the final application.

Further information about the supervisor can be found through his homepage: www.cs.york.ac.uk/~siamak

York is a prestigious university in the UK and the Department of Computer Science is ranked top 10 in the UK in terms of research quality. More information about the university can be found here: www.york.ac.uk/about

Closing date for applications: 31 January 2019

Contact: Dr. Siamak F. Shahandashti | siamak.shahandashti (at) york.ac.uk | www.cs.york.ac.uk/~siamak

More information: https://www.york.ac.uk/study/postgraduate-research/funding/international/ygrs

The Faculty of Mathematics, Informatics and Mechanics at University of Warsaw (MIM UW) invites applications for positions of an assistant professor (“adiunkt” in Polish) in Computer Science, starting on 1st October 2019.

MIM UW is one of the strongest computer science faculties in Europe. It is known for talented students (e.g., two wins and 13 times in top ten at the ACM International Collegiate Programming Contest) and strong research teams, especially in theoretical aspects of computer science like algorithms, logic and automata, cryptography (e.g., 8 ERC grants in these fields, 4 of them running at the moment). For an overview of research areas represented in the Faculty, see http://www.mimuw.edu.pl/en/dziedziny-badan

Requirements:

- PhD degree in computer science or mathematics

- Strong publication record in international computer science journals or conferences

- Teaching experience

- Mobility record (participation in conferences, research visits, postdoc positions, etc.)

In the current call, the position is offered in two variants:

1. standard \"tenure-track\" position, with teaching load of 210 hrs/year

2. a more \"postdoc-like\" position, for 2 or 4 years, with reduced teaching load (120hrs/year) -- only for candidates at most 5 years after obtaining PhD.

Deadline for applications: 31st January 2019.

More details, including application procedure can be found under the following links:

1. https://www.mimuw.edu.pl/rozne/konkursy-pliki/2019/praca-adiunkt-31-01-2019-en.pdf

2. https://www.mimuw.edu.pl/rozne/konkursy-pliki/2019/praca-adiunkt-s-eilenberg-31-01-2019-en.pdf

For more information about the procedure, requirements, conditions, etc. please contact a vice-director of Institute of Informatics, Lukasz Kowalik (kowalik (at) mimuw.edu.pl).

Closing date for applications: 31 January 2019

Within the scope of the Spanish \"Juan de la Cierva\" postdoctoral programme, the Research group on Cryptology and Information Security (GiCSI) of the Spanish National Research Council is seeking highly motivated professionals in conducting research in the area of blockchain-based protocols, security protocols and cryptographic privacy-enhancing technologies.

There are two types of Juan de la Cierva grants:

1. Juan de la Cierva Training Grants (Juan de la Cierva-Formación) are aimed at candidates that have been awarded their PhD between 01/01/2017 and 31/12/2018. These grants are aimed to complete their postdoctoral research training in Spanish R&D centers other than those in which they carried out their predoctoral training.

2. Juan de la Cierva Incorporation Grants (Juan de la Cierva-Incorporación) are aimed at those who were awarded their PhD between 01/01/2014 and 31/12/2016. These grants are intended to strengthen the grantee’s acquired skills during a first stage of postdoctoral training.

For more information about deadlines and other details, please refer to http://www.ciencia.gob.es/portal/site/MICINN/menuitem.dbc68b34d11ccbd5d52ffeb801432ea0/?vgnextoid=73d917cd13e77610VgnVCM1000001d04140aRCRD.

Interested candidates are encouraged to contact us as soon as possible.

Closing date for applications: 31 January 2019

Contact: David Arroyo, Tenured Scientist at the Spanish National Research Council (CSIC)

http://www.researcherid.com/rid/A-5167-2010

https://scholar.google.es/citations?user=IORMgpcAAAAJ&hl=es